SELECTED GENERAL CONTROLS OVER THE RETIREE AND
CASUALTY PAY SUBSYSTEM AT THE DEFENSE FINANCE
AND ACCOUNTING SERVICE CLEVELAND CENTER

Report Number 98-098                       March 30, 1998

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, contact the Secondary Reports Distribution Unit of the Analysis, Planning, and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or FAX (703) 604-8932, or visit the Inspector General, DOD, Home Page at: WWW.DODIG.OSD.MIL.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Planning and Coordination Branch of the Analysis, Planning, and Technical Support Directorate at (703) 604-8908 (DSN 664-8908) or FAX (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: APTS Audit Suggestions)
    Inspector General, Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, Virginia 22202-2884

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@DODIG.OSD.MIL; or by writing to the Defense Hotline, The Pentagon, Washington, D.C. 20301-1900.
The identity of each writer and caller is fully protected.

Acronyms

DFAS    Defense Finance and Accounting Service
DISA    Defense Information Systems Agency
DRAS    Defense Retiree and Annuitant Pay System
OMB     Office of Management and Budget

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202

March 30, 1998

MEMORANDUM FOR DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE

SUBJECT: Audit Report on Selected General Controls Over the Retiree and Casualty Pay Subsystem at the Defense Finance and Accounting Service - Cleveland Center (Report No. 98-098)

We are providing this audit report for information and use. The audit was conducted in support of our financial statement audits required by the Chief Financial Officers Act of 1990 and the Federal Financial Management Act of 1994. This report is the first in a series of reports that will be issued on the Defense Retiree and Annuitant Pay System.

We considered management comments on a draft of this report in preparing the final report. The Defense Finance and Accounting Service comments conformed to the requirements of DOD Directive 7650.3; therefore, additional comments are not required.

We appreciate the courtesies extended to the audit staff. Questions on the audit should be directed to Ms. Kimberley Caprio, Audit Program Director, at (703) 604-9139 (DSN 664-9139) or Mr. Dennis L. Conway, Audit Project Manager, at (703) 604-9158 (DSN 664-9158). See Appendix D for the report distribution.
The audit team members are listed inside the back cover.

Deputy Assistant Inspector General for Auditing

Office of the Inspector General, DOD

Report No. 98-098                                                        March 30, 1998
(Project No. 6FG-0093)

Selected General Controls Over the Retiree and Casualty Pay Subsystem at the Defense Finance and Accounting Service Cleveland Center

Executive Summary

Introduction. The audit was conducted to support our audits required by the Chief Financial Officers Act of 1990 and the Federal Financial Management Act of 1994. This report is the first in a series of reports resulting from our audit of the Defense Retiree and Annuitant Pay System. The report addresses our review of the general controls over the Defense Finance and Accounting Service Cleveland Center Retiree and Casualty Pay Subsystem (the Subsystem)--one of the two subsystems in the Defense Retiree and Annuitant Pay System.

The Subsystem was used to account for 1.8 million retirees and to disburse an average of $2.3 billion each month from the DOD Military Retirement Trust Fund in FY 1997. The high volume and dollar value of transactions processed makes effective controls over the Retiree and Casualty Pay Subsystem essential to ensuring the production of authorized, accurate, complete, and reliable retired pay data for the Fund.

Audit Objectives. The overall objective was to evaluate general and application controls over the Defense Retiree and Annuitant Pay System to ensure the production of authorized, accurate, complete, and reliable data. This report addresses our review of the general controls over the Retiree and Casualty Pay Subsystem.
(General controls are management controls that apply to the overall computer operations of an organization.) Also, we reviewed the management control program as it related to the Retiree and Casualty Pay Subsystem.

Audit Results. The Defense Finance and Accounting Service had implemented controls that included establishing an overall security program, implementing procedures for developing and changing computer software (such as computer programs), separating duties that could allow undetected and unauthorized or fraudulent activity to occur, establishing controls to monitor the use of a system's software, and establishing procedures for preventing disruptions in service to customers. Additional controls were needed for monitoring and updating the security program, limiting access to the Subsystem, and providing for continuity of operations.

Although we did not detect unauthorized or fraudulent activity, the need for improved controls over the Subsystem increases the possibility of such activity occurring. Implementation of these controls would increase the level of confidence that managers can place on the authorization, the accuracy, the completeness, and the reliability of retired payments.

Additional management controls recommended in this report will:

    o reduce the possibility that fraudulent activity occurs or ensure it can be detected in a timely manner, and

    o ensure the continuity of operations in case of a disaster.

See Appendix A for details on the management control program and Part I for a discussion of the audit results.

Summary of Recommendations. We recommend that the Director, Defense Finance and Accounting Service Cleveland Center, update security documents, monitor access to the Subsystem, and establish improved controls over the security of the Subsystem.

Management Comments.
The Deputy Director for Finance, Defense Finance and Accounting Service Cleveland Center, agreed to update security documents, monitor daily reports of accesses to the Subsystem, and conduct periodic reviews to identify deficiencies in the security controls over the Subsystem. The Defense Finance and Accounting Service Cleveland Center requested clarification of information regarding security clearance levels assigned by Center personnel for security officer positions. The Center was concerned that the draft report implied that security clearance levels were not designated for security officer positions.

The Center also requested the basis for the assistant information security officer position to be designated critical-sensitive, the same level of clearance as the information security officer position. See Part I for a complete discussion of the management comments and Part III for the complete text of the management comments.

Audit Response. Our intent with regard to security clearance levels was not to imply that clearance levels were not designated, but to request that management review the appropriateness of existing clearance levels. Further, in the information security officer's absence, the assistant officer would perform the information security officer's duties; therefore, we contend that the assistant officer should possess an equivalent level of clearance. Defense Finance and Accounting Service comments were responsive to the recommendations; therefore, no further comments are required.

Table of Contents

Executive Summary

Part I - Audit Results
    Audit Background
    Audit Objectives
    Controls Over the Retiree and Casualty Pay Subsystem

Part II - Additional Information
    Appendix A.
Audit Process
        Scope and Methodology
        Management Control Program
    Appendix B. Summary of Prior Coverage
    Appendix C. Major Categories of General Controls
    Appendix D. Report Distribution

Part III - Management Comments
    Defense Finance and Accounting Service Comments

Part I - Audit Results

Audit Background

This report is the first in a series resulting from our ongoing audit of the Defense Retiree and Annuitant Pay System. The audit was conducted to support our audits required by the Chief Financial Officers Act of 1990 and the Federal Financial Management Act of 1994.

On August 8, 1991, the DOD Corporate Information Management Financial Management Steering Committee approved the Defense Finance and Accounting Service (DFAS) proposal to standardize and consolidate DOD retiree and annuitant pay systems.

The DFAS Cleveland Center Retired Pay System and the DFAS Denver Center Annuitant Pay System were chosen to be integrated as the Defense Retiree and Annuitant Pay System (DRAS). The Cleveland Center Retired Pay System was renamed the Retiree and Casualty Pay Subsystem and the Denver Center Annuitant Pay System was renamed the Annuitant Pay Subsystem.

Retiree and annuitant pay transactions are processed on computers managed by the Defense Information Systems Agency (DISA). The DISA Defense Megacenter located at Chambersburg, Pennsylvania, processes transactions for the DFAS Cleveland Center Retiree and Casualty Pay Subsystem.
The Defense Megacenter located at Denver, Colorado, processes transactions for the DFAS Denver Center Annuitant Pay Subsystem.

This report discusses our review of selected general controls over the DFAS Cleveland Center Retiree and Casualty Pay Subsystem. The Subsystem was used to account for 1.8 million retirees and to disburse a monthly average of $2.3 billion from the DOD Military Retirement Trust Fund in FY 1997.

Audit Objectives

The overall audit objective was to evaluate general and application controls over the Defense Retiree and Annuitant Pay System to ensure the production of authorized, accurate, complete, and reliable data. The report addresses our review of the general controls over the Retiree and Casualty Pay Subsystem. Also, we reviewed the management control program as it related to the Retiree and Casualty Pay Subsystem.

See Appendix A for a discussion of the audit scope, methodology, and the management control program, and Appendix B for a summary of prior coverage related to the audit objectives.

Controls Over the Retiree and Casualty Pay Subsystem

The DFAS Cleveland Center needed to improve critical information system security controls over the Retiree and Casualty Pay Subsystem. Three categories of security controls needing improvement were monitoring and updating the security program, controls over access to the Subsystem, and providing for continuity of operations.

Information system security controls were not fully implemented or maintained because the DFAS Cleveland Center had not ensured compliance with some security requirements.
The absence of these security controls increases the possibility that unauthorized or fraudulent activity will occur or will not be detected in a timely manner. Also, the absence of these controls lowers the confidence that managers can place on the authorization, the accuracy, the completeness, and the reliability of retired payments.

System of Internal Controls

Office of Management and Budget (OMB) Circular No. A-127, "Financial Management Systems," July 23, 1993, states that financial management systems shall include a system of internal controls that ensures resource use is consistent with laws, regulations, and policies; resources are safeguarded against waste, loss, and misuse; and reliable data are obtained, maintained, and disclosed in reports. These system-related controls form a portion of the management control structure required by OMB Circular No. A-123, "Management Accountability and Control," June 21, 1995.

Also, OMB Circular No. A-127 states that agencies shall plan for and include security controls in financial management systems in accordance with OMB Circular No. A-130, "Management of Federal Information Resources," February 8, 1996. OMB Circular No. A-130 establishes a minimum set of controls to be included in automated information system security programs.

DOD information systems should include a minimum of six major categories of general controls.
General controls are management controls that apply to the overall computer operations of an agency or an organization and include the following:

    o establishing an overall security program,

    o limiting access to automated systems,

    o implementing procedures for developing and changing computer software (for example, changing computer programs),

    o separating duties that could allow undetected and unauthorized or fraudulent activity to occur,

    o establishing controls to monitor the use of a system's software, and

    o establishing procedures for preventing disruptions in service to customers.

See Appendix C for a definition of the major categories of general controls.

Information System Controls

Three categories of security controls needed improvement: monitoring and updating the security program, controls over access to the Subsystem, and providing for continuity of operations.

Monitoring and Updating Security-Related Changes. The DFAS Cleveland Center was not fully monitoring and updating security-related changes in its security program. Specifically, the risk assessment and the security plan were not updated when facilities, operations, and risks changed; security personnel did not have appropriate training, experience, or levels of security clearance; and the Retiree and Casualty Pay Subsystem was not accredited as required.

Development of a Risk Assessment. OMB Circular No.
A-130 requires the development of a risk assessment that includes the value of a system, analysis of threats and vulnerabilities, and the effect of current or proposed safeguards.

The DFAS Cleveland Center had developed a risk assessment as of June 9, 1994; however, significant changes had since occurred in the processing of retired payments. For example,

    o Marine Corps and Army retired pay accounts were relocated to and processed by the Cleveland Center as of July 1994 and April 1995, respectively (these two Military Services were responsible for 722,O retired pay accounts as of March 20, 1997), and

    o retired pay accounts processed at Bratenahl, Ohio (a suburb of Cleveland, Ohio), were relocated to Chambersburg, Pennsylvania.

By updating the risk assessment to reflect the changes affecting the Subsystem, the DFAS Cleveland Center could lessen potential risks to its data.

Security Plans for Retired Pay Operations. The security plans for retired pay operations were not updated to include new facilities, operations, and risks. DFAS Regulation 8000.1-R, "Information Management Policy and Instructional Guidance," August 23, 1996, states that the information security officer is responsible for ensuring that security plans are developed and maintained.

The DFAS Cleveland Center had developed two security plans. One plan, dated July 9, 1993, provided guidance for securing the DRAS operations.
The other plan, dated July 1994, provided guidance for securing computer operations at the three buildings that housed DFAS Cleveland Center personnel and computer equipment.

Neither security plan had been updated to reflect current operating conditions. For example, the plan for DRAS operations stated that it provided security guidance for a computer in Cleveland, Ohio. However, computer processing of retired pay by DRAS was transferred on August 27, 1995, to the Defense Megacenter at Chambersburg, Pennsylvania. The other plan stated that when computer terminals were unattended, adequate security was provided by locked doors. However, computer terminals were located in offices without locked doors.

The process of updating the security plans to reflect current facilities, operations, and risks of the Retiree and Casualty Pay Subsystem could identify deficiencies for corrective action that would improve security over the Subsystem's data.

Security-Related Training and Experience. The DFAS Cleveland Center did not fully ensure that personnel had the necessary security-related training and experience.
The National Computer Security Center's "A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems," May 1992, states that an information system security officer should have the following minimum qualifications to provide a solid technical background:

    o two years of experience in a computer-related field,

    o one year of experience in computer security, or mandatory attendance at a computer security training course,

    o familiarization with the operating system of the AIS (Automated Information System), and

    o a technical degree (desirable) in computer science, mathematics, electrical engineering, or a related field.

Of the 11 information system security officers with retired pay responsibilities, only 6 met at least 1 of the minimum requirements. The DFAS Cleveland Center could identify better qualified information system security officers by evaluating the security-related training and experience of its candidates.

Levels of Security Clearances. The levels of security clearances were not reviewed before DFAS personnel were assigned to security duties. DOD Regulation 5200.2-R requires each civilian position in DOD to be classified as critical-sensitive, noncritical-sensitive, or nonsensitive.¹

The DFAS Cleveland Center had appropriately identified the information security officer as occupying a critical-sensitive position and had conducted an investigation into the background of the security officer. (An extensive background investigation is normally conducted before assignment to critical-sensitive jobs.)
However, the assistant information security officer's position was classified as noncritical-sensitive, and only a less extensive National Agency Check with written inquiries was completed.

The classification of noncritical-sensitive would be appropriately assigned to information system security officers (information system security officers are subordinate to information security officers). In the absence of the information security officer, the assistant information security officer would assume those duties; therefore, the assistant information security officer's position should also be identified as critical-sensitive and be subject to the more extensive background investigation.

Also, only 2 of the 11 information system security officers assigned to the Retired Pay Directorate were occupying positions classified as noncritical-sensitive. The positions for the other nine information system security officers were classified as nonsensitive. (All information system security officer positions should be classified as noncritical-sensitive because these officers have access to personal information.) Further, neither the information security officer nor the Security Directorate was aware of the sensitivity levels for these information system security officers.

By having the sensitivity levels reviewed by qualified security personnel (that is, personnel who have knowledge of the level of security responsibilities) and by requiring the appropriate background investigations before assigning personnel to security officer duties, the DFAS Cleveland Center would reduce its risk of assigning inappropriate personnel to security duties.

Accreditation of DRAS. DFAS Cleveland Center managers had not conducted an accreditation of DRAS when significant changes had occurred.

¹ Critical-sensitive positions
for information systems personnel include responsibilities for planning, directing, and implementing a computer security program. Noncritical-sensitive positions include responsibilities for monitoring systems that allow access to or processing of personal data. Also, personnel assigned to noncritical-sensitive positions perform work that is reviewed by personnel occupying critical-sensitive positions. All other positions are classified as nonsensitive positions.

OMB Circular No. A-130 requires managers to authorize the use of a system before beginning or significantly changing processing in it. After a system has been authorized (accredited) for use, it should be reaccredited every 3 years.

In addition, the National Computer Security Center's "Introduction to Certification and Accreditation," January 1994, states that management must continually track and reassess the level of security in a system. Based on these reassessments, management must decide whether the level of security is sufficient to allow the system to continue to operate.

No documentation was provided to show that the DFAS Cleveland Center had accredited the Retiree and Casualty Pay Subsystem. As previously stated, significant changes had occurred that warranted reassessment of the level of security.
In addition, the Defense Megacenter that processed retired pay was accredited to operate only on an interim basis.

By analyzing and accrediting the Subsystem, DFAS Cleveland Center management could better ensure that the level of security over the operation of the Retiree and Casualty Pay Subsystem was sufficient. Reaccreditations should be made when significant changes occur.

Controls Over Access to the Retiree and Casualty Pay Subsystem. Controls over access to the Retiree and Casualty Pay Subsystem were not always sufficient to protect the Subsystem and its data from potential misuse or destruction. Information security managers had not always produced or reviewed reports showing access to the Subsystem, and physical access to retired pay areas and computer facilities was sometimes not properly limited.

Frequency of Users' Accesses to the Subsystem. Information security managers could not fully monitor unusual activity because they were not consistently producing and reviewing reports showing the frequency of user access to the Subsystem. DOD Standard 5200.28-STD, "Department of Defense Trusted Computer System Evaluation Criteria," December 26, 1985, states that controls must be in place to protect automated systems from unauthorized access. These controls should ensure that security procedures are in place to create, maintain, and protect an audit trail of access to a system's programs and files.

For the Retiree and Casualty Pay Subsystem, the Access Control Facility 2 software--produced by Computer Associates International, Incorporated--provides this protection.
The Access Control Facility 2 software can produce daily reports that provide an audit trail of access to a system.

Despite the availability of these reports, DFAS Cleveland Center security personnel were not always producing or using the reports. Therefore, security personnel lacked an audit trail for detecting unusual or potentially illegal access to the Subsystem's files.

The DFAS Cleveland Center had developed DFAS-CL 5215.1-G, "A User's Guide to Computer Security," July 1994, to provide guidance for monitoring user access to the Subsystem. The guide states that the Information Security Office will review to ensure that new users actually use their privilege to access a system. If new users have not accessed a system within a 2-week period, the access privilege will be deleted. The guide also states that the Information Security Office will delete the access privileges of any user that has not accessed a system for a period of 90 days.

Special reports produced by the Access Control Facility 2 software showed how frequently users had accessed a system. As of November 15, 1996, 90 of 107 new users (84.1 percent) had not accessed the system in more than 60 days. In addition, no access was reported for 21 of the 107 new users (19.6 percent) since December 1995. The Information Security Office had not removed these new users' access privileges.

For other than new users, no access was reported for 246 of 288 users (85.4 percent) in over 120 days. In addition, no access was reported for 83 of the 246 users (33.7 percent) since at least calendar year 1995. For three users, no access was reported since calendar year 1994.
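The two inactivity rules quoted above from DFAS-CL 5215.1-G (2 weeks for a new user, 90 days for any user) and the unmonitored grants by information system security officers discussed later in this section are conditions a daily report review can flag mechanically. The following Python script is an added example for this page; it is not code from the report, from DFAS, or from the Access Control Facility 2 product. Its record format, user ids, dates, and management authorization list are constructed for illustration, and it produces the list of accounts to delete and grants to investigate rather than acting on them, since the guide assigns that action to the Information Security Office.

```python
"""Check a retired-pay access report against the inactivity rules in
DFAS-CL 5215.1-G and flag access grants that management did not approve.

Added illustration, not code from the report, DFAS, or Access Control
Facility 2: the record format, user ids, dates and the management
authorization list below are constructed for the example."""
from datetime import date, timedelta

NEW_USER_GRACE_DAYS = 14   # a new user must sign on within 2 weeks
INACTIVE_DAYS = 90         # any user idle for 90 days loses access

# Constructed extract in a hypothetical line format (not ACF2 report layout).
# ACCOUNT <user> <created> <last access or "never">
# GRANT   <security officer> <user granted> <file or data set>
REPORT = """\
ACCOUNT MALLEN 1996-09-10 1996-10-30
ACCOUNT BBAKER 1996-10-20 never
ACCOUNT CCHEN  1995-11-01 1995-12-01
ACCOUNT DDIAZ  1996-11-01 1996-11-14
ACCOUNT ISSO1  1994-01-05 1996-11-15
GRANT   ISSO1  MALLEN RETPAY.MASTER
GRANT   ISSO1  ISSO1  RETPAY.MASTER
GRANT   ISSO2  CCHEN  RETPAY.PAYMENTS
"""

# (user, resource) pairs management has approved; also constructed.
AUTHORIZED = {("MALLEN", "RETPAY.MASTER"), ("DDIAZ", "RETPAY.MASTER")}
SECURITY_OFFICERS = {"ISSO1", "ISSO2"}


def parse_report(text):
    """Return ({user: {"created": date, "last": date or None}}, [grant dicts])."""
    accounts, grants = {}, []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "ACCOUNT":
            user, created, last = fields[1:4]
            accounts[user] = {
                "created": date.fromisoformat(created),
                "last": None if last == "never" else date.fromisoformat(last),
            }
        elif fields[0] == "GRANT":
            grants.append({"by": fields[1], "to": fields[2], "resource": fields[3]})
    return accounts, grants


def stale_accounts(accounts, as_of):
    """Map each user whose access should be deleted to the reason.  A user who
    has never signed on is judged from the account creation date under the
    2-week rule; everyone else from the last access date under the 90-day rule."""
    stale = {}
    for user, rec in accounts.items():
        if rec["last"] is None:
            if as_of - rec["created"] > timedelta(days=NEW_USER_GRACE_DAYS):
                stale[user] = "new user, no access within %d days" % NEW_USER_GRACE_DAYS
        elif as_of - rec["last"] > timedelta(days=INACTIVE_DAYS):
            stale[user] = "no access in %d days" % (as_of - rec["last"]).days
    return stale


def suspicious_grants(grants, authorized, officers):
    """List (officer, user, resource, reason) for grants an officer issued to
    his or her own account and for grants with no management authorization."""
    findings = []
    for g in grants:
        if g["by"] in officers and g["to"] == g["by"]:
            findings.append((g["by"], g["to"], g["resource"], "self-granted"))
        elif (g["to"], g["resource"]) not in authorized:
            findings.append((g["by"], g["to"], g["resource"], "not authorized by management"))
    return findings


def review(text, as_of, authorized=AUTHORIZED, officers=SECURITY_OFFICERS):
    """Run both checks; as_of may be a date or an ISO date string."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    accounts, grants = parse_report(text)
    return stale_accounts(accounts, as_of), suspicious_grants(grants, authorized, officers)


if __name__ == "__main__":
    stale, grants = review(REPORT, "1996-11-15")
    for user, why in sorted(stale.items()):
        print("DELETE      %-7s %s" % (user, why))
    for by, to, resource, why in grants:
        print("INVESTIGATE grant by %s to %s on %s: %s" % (by, to, resource, why))
```

Run as written with the report date of November 15, 1996, it lists BBAKER (a new user who never signed on) and CCHEN (idle for 350 days) for deletion and two grants for investigation: one an officer issued to his own account and one with no matching management authorization. In a real review the thresholds come from the guide, the extract from the access control software's daily reports, and the authorization list from management's access request records; the self-grant check is the monitoring the report found absent for the two officers who could create accounts and grant file access on their own.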
At the time of this review, the Information Security Office had not removed any of these users' access privileges. The absence of monitoring for infrequent access to the system reduces the opportunity for identifying and eliminating, in a timely manner, users who have not demonstrated a need for access to the retired pay Subsystem.

Further, the DFAS Cleveland Center had not established controls to monitor access to the system by some information system security officers. The DFAS Cleveland Center had two information system security officers who could independently establish a user's account and authorize that user access to specific files in the Subsystem. (A user's account includes information such as the user's name, Social Security number, and position title.) Therefore, these information system security officers could grant themselves or other users access to specific files in the Subsystem although that access was not needed or authorized by management to perform retired pay duties. The Information Security Office had not produced any reports from the Access Control Facility 2 software to monitor unusual accesses granted by the information system security officers.

More control over identifying unusual or potentially illegal access to the Subsystem could be achieved by the Information Security Office monitoring accesses to the system and investigating unusual use of the system.

Access to DFAS Offices and the Retiree and Casualty Pay Subsystem. Access to DFAS offices and the Retiree and Casualty Pay Subsystem was not always properly limited.
DOD Directive 5200.28, "Security Requirements for Automated Information Systems (AISs)," March 21, 1988, states that information systems shall be protected to prevent unauthorized disclosure, destruction, and modification.

The DFAS Cleveland Center had employees with computer access to the Retiree and Casualty Pay Subsystem in the North Point Towers Building and in the Anthony J. Celebrezze Federal Building (the Federal building) in Cleveland, Ohio. DFAS shares working space in both buildings with other Federal organizations; therefore, security was needed in both locations to protect the Retiree and Casualty Pay Subsystem.

Unauthorized personnel could not obtain access to the retired pay offices in the North Point Towers Building without either an access code to the automated security system or an escort. However, improvements were needed in the security at the Federal building. The guards in the Federal building checked for identification badges, but they still allowed employees without badges and visitors unescorted access to the building. The DFAS Cleveland Center had recognized the need for better security at the Federal building and had obtained badges for use by visitors. However, the badges were not used.

The Federal building housed DFAS computers that had access to the Retiree and Casualty Pay Subsystem. These DFAS computers were located in unlocked offices, and anyone allowed access into the Federal building could enter these offices.
Although DFAS computers in the Federal building were not available for use by the public, a malicious act by a single unauthorized individual to defraud or destroy retired pay data could result in disastrous consequences to the integrity of the Retiree and Casualty Pay Subsystem.

Access to DFAS offices and its computers in the Federal building could be restricted by establishing and enforcing better security measures, such as issuing badges to visitors and locking doors to DFAS office areas.

Supporting Critical Operations. Resources and facilities were not identified for supporting critical operations in the event of a disaster. DOD Directive 3020.26, "Continuity of Operations (COOP) Policy and Planning," May 26, 1995, states that DOD Components shall designate alternate headquarters or emergency relocation sites.

The DFAS Cleveland Center developed a contingency plan in October 1994 that addressed obtaining office space, equipment, and supplies in Cleveland, Ohio, if the current office space and equipment were rendered unusable by some event, such as a disaster. The DFAS Cleveland Center had not developed a plan for moving retired pay operations (such as personnel and equipment) to an alternate site geographically separated from Cleveland, Ohio, if a disaster occurs that affects the entire Cleveland, Ohio, metropolitan area.
Unnecessary interruptions in the payment of more than 1.8 million retiree pay accounts could be avoided by identifying office space and equipment to support critical operations in the event of a disaster.

Compliance with Security Requirements

Information system security controls were not fully implemented or maintained because the DFAS Cleveland Center had not ensured compliance with some security requirements for the Retiree and Casualty Pay Subsystem. DFAS Regulation 8000.1-R, “Information Management Policy and Instructional Guidance,” August 23, 1996, states that the Directors of each DFAS Center, the Centers’ information security officers, and the information system security staff have the first-line responsibility for ensuring compliance with information system security requirements.

The information security officer at a DFAS Center is the key individual responsible for ensuring that security controls are implemented.
The information security officer is responsible, in part, for ensuring that:

o security policies and safeguards are enforced for all personnel having access to an automated information system,

o all users have been properly trained and are familiar with security policies and procedures before being granted access to the system,

o audits are reviewed periodically to identify unauthorized users’ actions,

o protective or corrective measures are implemented if a security problem exists,

o the security status of the system is reported to the Center’s director,

o known or suspected vulnerabilities are evaluated to determine whether additional safeguards are needed,

o security plans are developed and maintained,

o contingency plans are developed and tested at least annually,

o documentation is developed and maintained to support accreditations of automated information systems, and

o users are removed from access lists if no need exists for accessing a system.

Furthermore, the Director of each DFAS Center has overall responsibility for ensuring that appropriate security controls are implemented and maintained. The Director, DFAS Cleveland Center, would have greater oversight and assurance that security controls have been implemented and maintained by requiring periodic reviews on the controls over the Retiree and Casualty Pay Subsystem.

Conclusion

The inadequate security controls in the Retiree and Casualty Pay Subsystem increase the possibility for unauthorized or fraudulent activity to occur or to not be detected in a timely manner.
Also, the inadequate controls lower the confidence that managers can place on the authorization, the accuracy, the completeness, and the reliability of retired payments.

Deficiencies were identified in monitoring and updating the security program, controls over access to the subsystem, and providing for continuity of operations. Prior audits on DFAS systems have reported the need for similar improvements as shown in this report. (See Appendix B for a summary of prior audit coverage.)

Although we did not review controls over security in other systems at the DFAS Cleveland Center, the potential exists for weaknesses similar to those described in this report. The Director’s implementation of recommendations in this report should improve controls over all of the Center’s systems.

Recommendations, Management Comments, and Audit Response

We recommend that the Director, Defense Finance and Accounting Service Cleveland Center:

1. Update the risk assessment and the security plans to reflect current facilities, operations, and risks. The plan should be updated when significant changes occur in facilities, operations, or risks.

2. Evaluate the training and experience of personnel prior to their selection for security-related responsibilities to ensure that candidates have the minimum security training and experience qualifications.

3. Review sensitivity levels of security personnel positions and require appropriate background investigations before assigning personnel to security positions.

4. Correct any deficiencies that can prevent the accreditation of the retired pay subsystem. Conduct reaccreditations when significant changes occur.

5.
Monitor accesses to the system and investigate unusual use of the system.

6. Limit access to offices and computer equipment in the Federal building.

7. Identify office space and equipment needed to support critical operations at an alternate site in the event of a disaster.

8. Conduct periodic reviews and correct any identified deficiencies in the security controls over the Retiree and Casualty Pay Subsystem.

Management Comments. DFAS Cleveland Center management concurred, stating that actions have been or will be taken by March 31, 1998, to implement the recommendations.

Specifically, DFAS agreed to:

o update the risk assessment and security plans and review the documents annually or when significant changes occur;

o select security officers that meet the National Computer Security Center’s training and experience requirements;

o review sensitivity levels of security personnel positions, identify personnel without appropriate background investigations, and initiate investigations for these personnel;

o complete the reaccreditation program and conduct reaccreditations in the future when significant changes occur;

o develop procedures for monitoring daily reports of system accesses;

o limit access to offices and computer equipment in the Federal building;

o identify office space and equipment needed to support critical operations at an alternate site in the event of a disaster and use the General Services Administration, other DFAS Centers, DFAS operating locations, and other Government agencies as alternate sites depending on the severity of the disaster; and

o conduct periodic reviews and correct deficiencies identified in the security controls over the Retiree and Casualty Pay
Subsystem through procedures such as monitoring daily reports on accesses made to the Subsystem.

DFAS Cleveland Center management also requested clarification of information relating to Recommendation 3. Management was concerned that the draft report inferred security clearance sensitivity levels were not designated for security officer positions.

Also, DFAS Cleveland Center management requested the basis for the assertion that the assistant information security officer position be designated critical sensitive, the same level of clearance as the information security officer position.

Audit Response. Our intent in Recommendation 3 was not to infer that security clearance sensitivity levels did not exist, rather to request that management review the appropriateness of existing security levels. In the information security officer’s absence, the assistant officer would perform the information security officer’s duties and therefore should possess an equivalent level of clearance. Thus, we recommended the need to review sensitivity levels and to grant the same level of sensitivity to positions with the same duties. DFAS comments were responsive to the recommendations; therefore, no further comments are required.

Part II - Additional Information

Appendix A. Audit Process

Scope and Methodology

Scope and Methodology of Audit. The scope of the audit included reviews of general controls related to the Retiree and Casualty Pay Subsystem of the DRAS.
Specifically, we:

o reviewed security plans and assessments of risk prepared by DFAS personnel,

o assessed employees’ experience and training qualifications on automated information systems and computer security,

o evaluated controls for ensuring that accreditations were completed and updated,

o analyzed reports showing frequency of access attempts into the Retiree and Casualty Pay Subsystem,

o monitored access to DFAS offices and computer equipment,

o assessed independence and authority of the information security officer and information system security officers to perform their assigned duties,

o reviewed plans for continuing operations, and

o interviewed security, human resource management, and retired pay personnel assigned to the DFAS Cleveland Center.

Also, we reviewed policies and procedures related to establishing and maintaining general controls. This guidance was provided in regulations, directives, circulars, or standards developed by OMB, DOD, and the National Computer Security Center.

The Retiree and Casualty Pay Subsystem was used to process transactions for 1.8 million retirees and to disburse a monthly average of $2.3 billion from the DOD Military Retirement Trust Fund in FY 1997.

Use of Computer-Processed Data. We used reports generated by security software packages to review the general controls established for the Retiree and Casualty Pay Subsystem. Data were used from the Access Control Facility 2 security software--produced by Computer Associates International, Incorporated--to review the extent of access allowed to key retired pay and security personnel.
The Retiree and Casualty Pay Subsystem was used to process sensitive, unclassified information (that is, personal information such as Social Security numbers).

We were granted the ability to access and read information in the Access Control Facility 2 security software. All testing of systems and security software was performed in a controlled environment with management’s approval. Based on those tests, we concluded that the data reviewed were sufficiently reliable to achieve the audit objectives and support the audit conclusions.

Review Period and Standards. We performed this financial-related audit from October 1996 through November 1997 in accordance with auditing standards issued by the Comptroller General of the United States, as implemented by the Inspector General, DOD. Accordingly, we included tests of management controls considered necessary.

Contacts During the Audit. We visited or contacted individuals and organizations within DOD. Further details are available on request.

Management Control Program

DOD Directive 5010.38, “Management Control Program,” August 26, 1996, requires DOD organizations to implement a comprehensive system of management controls that provides reasonable assurance that programs are operating as intended and to evaluate the adequacy of the controls.

Scope of Review of Management Control Program.
The scope of review of the management control program included reviews on the adequacy of management and security controls over the Retiree and Casualty Pay Subsystem. Specifically, the review evaluated DFAS management controls over establishment of a security program, access controls, software development and change controls, segregation of duties, system software controls, and service continuity. Also, the review evaluated the results of the DFAS Cleveland Center’s self-evaluation of those management and security controls during FY 1994 through FY 1996 and its annual statement of assurance.

Adequacy of Management Controls. We identified a material management control weakness as defined by DOD Directive 5010.38. The DFAS Cleveland Center’s security controls over the Retiree and Casualty Pay Subsystem could be improved. Specifically, improvements were needed in monitoring and updating the security program, controls over access to the Subsystem, and providing for continuity of operations.

Six prior audits on DFAS have reported the need for similar improvements as discussed in this report. The repeat occurrence of these conditions suggests that a material weakness in security controls for information systems may exist throughout DFAS. (See Appendix B for a summary of prior audit coverage.)

The recommendations in this report, if implemented, will improve security controls over the Retiree and Casualty Pay Subsystem. A copy of the report will be provided to the senior official responsible for management controls at the DFAS Cleveland Center.

Adequacy of Management’s Self-Evaluation.
The DFAS Cleveland Center had conducted a self-evaluation on June 9, 1994, of the security controls on the Retiree and Casualty Pay Subsystem. The self-evaluation correctly identified the risk associated with the program as high. However, in its evaluation, the DFAS Cleveland Center did not identify the specific material management control weakness identified by the audit. Further, the evaluation should have been updated, when significant changes occurred, since it was a high risk area.

Appendix B. Summary of Prior Coverage

Six Inspector General, DOD, reports covered issues related to this audit.

IG, DOD, Report No. 97-052, “Vendor Payments-Operation Mongoose, Fort Belvoir Defense Accounting Office and Rome Operating Location,” December 23, 1996. The report concludes that management of security over payment data at the DFAS Operating Location at Rome, New York, did not comply with DOD security policy. As a result, unauthorized users could compromise or manipulate data without risk of detection. DFAS concurred with the recommendations and stated that it would:

o assign a minimum number of individuals to maintain the password file and the security table;

o establish procedures to remove terminated employees from the Computerized Accounts Payable System;

o discontinue allowing users to both input and certify disbursement transactions;

o distribute user access listings to supervisors each month to verify access rights; and

o develop and implement a contingency plan to recover computer records in the event of a disaster.

IG, DOD, Report No. 96-175, “Computer Security Over the Defense Joint Military Pay System,” June 25, 1996.
The results in the report are summarized below.

o User access to the military pay system at the DFAS centers in Denver, Colorado, and Indianapolis, Indiana, was not adequately controlled and limited. Therefore, resources were not secure and the integrity of pay data for Army and Air Force servicemembers was at risk.

o Responsibilities for authorizing and controlling access to the military pay system were not clearly defined and understood at one center and two supporting organizations. Accordingly, access to the pay system and sensitive Army and Air Force pay data was improperly attained and security oversight was inadequate.

o Administrative controls over the security of the pay system at the two centers and three supporting organizations needed improvement. As a result, the integrity of the military pay data was vulnerable.

The report recommended that reviews be conducted at the two centers to ensure that user access was properly controlled and limited; improvements were made in defining responsibilities for authorizing and controlling access to the military pay system; security administrator positions were established with appropriate authority and oversight capabilities; and organizations were required to identify and control all critical-sensitive positions.

The Defense Information Systems Agency and DFAS concurred with the findings and recommendations.

IG, DOD, Report No. 96-124, “Selected General Controls Over the Defense Business Management System,” May 21, 1996.
The report states that computer security at the Defense Finance and Accounting Service Financial Systems Activity in Columbus, Ohio, did not adequately protect the Defense Business Management System development code from compromise. Also, the Financial Systems Activity did not adequately control program software changes to ensure that only authorized changes were made.

As a result, these general control weaknesses compromised the reliability of the Defense Business Operations Fund financial statements. These weaknesses also increased the risk of fraud, sabotage, and disruption to the operations of the DOD Components that rely on the Defense Business Management System.

The Defense Finance and Accounting Service concurred with recommendations made concerning computer security; software change management practices (except for a review of the existing software code); and disaster preparedness. The Defense Information Systems Agency concurred with the recommendations to complete, finalize, and test the disaster recovery plan.

The Defense Logistics Agency agreed to update their disaster recovery plan but delayed performing a disaster recovery risk analysis until it could determine a new location for its computer laboratory. Also, the Defense Logistics Agency agreed with periodic testing of its disaster recovery plan.

IG, DOD, Report No. 96-053, “Followup Audit of Controls Over Operating System and Security Software and Other General Controls for Computer Systems Supporting the Defense Finance and Accounting Service,” January 3, 1996.
The related report states that two Defense megacenters--Defense Megacenter, Saint Louis, Missouri, and Defense Megacenter, Denver, Colorado--had made commendable efforts to implement 22 of the 25 prior audit recommendations.

At the Defense Megacenter, Denver, Colorado, the planned corrective actions on the remaining three recommendations were considered adequate, although incomplete. However, a new security software problem was identified during the audit that required corrective action by the Defense Information Systems Agency, Western Hemisphere at Fort Ritchie, Maryland.

The Defense Information Systems Agency, Western Hemisphere and the Defense Megacenter, Denver, Colorado, concurred with all recommendations to complete corrective actions from prior audit reports.

IG, DOD, Report No. 95-263, “Controls Over Operating System and Security Software and Other General Controls for Computer Systems Supporting the Defense Finance and Accounting Service,” June 29, 1995. The report states that the Defense Finance and Accounting Service, the Defense Information Systems Agency, and the Defense Logistics Agency made commendable efforts to implement prior audit recommendations.

However, additional corrective actions were required in some areas. The review followed up on 87 of the 112 recommendations made in prior audit reports.
Audit followup on 25 recommendations was deferred because the organizations to which the recommendations were made were being consolidated into various Defense Information Systems Agency megacenters.

Of the 87 recommendations, the Defense Finance and Accounting Service, the Defense Information Systems Agency, and the Defense Logistics Agency had taken adequate corrective actions on 67 recommendations. Additional corrective actions were required on 20 recommendations.

The Defense Finance and Accounting Service and its Financial Systems Activity at Denver concurred with the recommendations to improve physical security at one Defense megacenter and to eliminate a security exposure on one system. The Defense Information Systems Agency concurred with 11 recommendations and partially concurred with 3 recommendations to improve computer security, operational efficiency, and management controls at computer centers.

The Defense Logistics Agency concurred with all recommendations and stated that it would develop and implement controls over supervisor calls (with integrity exposures); export corrected supervisor calls to the Defense Megacenter at Columbus, Ohio; and finalize procedures for managing the processing and exporting of changes to its operating system.

IG, DOD, Report No. 94-060, “General Controls for Computer Systems at the Information Processing Centers of the Defense Information Services Organization,” March 18, 1994. The report states that the Defense Business Management System’s users neglected to change their passwords within 180 days. In addition, numerous users had not changed their passwords in over 1 year.

These conditions had occurred because security personnel at the Defense Information Services Organization-Columbus Center did not periodically review the age of passwords nor deny access to users whose passwords had not been changed in 180 days.
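The two review steps the report describes in the auditor's own words, reading a security-software user report for the frequency of access attempts (Appendix A) and periodically reviewing password age so that users past 180 days can be denied access (Report No. 94-060 above), as an added Python example that is not part of the audit report and does not use ACF2's real report format. The pipe-separated record layout, the user ids and sample rows, and the failed-attempt threshold of 5 are constructed assumptions for this example:

```python
"""Daily review of a security-software user report.

Added example (not from the audit report or from ACF2). It performs the two
review steps the text describes: flagging passwords not changed within the
maximum age, and flagging unusual access-attempt frequency. The record layout
and every sample row below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample report: one row per user, pipe-separated.
# Fields: user id | last password change (YYYY-MM-DD) | failed access attempts today
SAMPLE_REPORT = """\
user id|last pw change|failed attempts
RPAY001|1997-10-15|0
RPAY002|1997-03-01|1
SECADM1|1996-08-20|0
RPAY017|1997-11-01|14
"""

MAX_PASSWORD_AGE_DAYS = 180   # the age the prior report measured against
FAILED_ATTEMPT_THRESHOLD = 5  # assumed threshold for "unusual use"; not from the page


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    last_password_change: date
    failed_attempts: int


def parse_report(text: str) -> list[UserRecord]:
    """Parse the pipe-separated report, skipping the header row and blank lines."""
    records = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        user_id, changed, failed = (field.strip() for field in line.split("|"))
        records.append(UserRecord(user_id, date.fromisoformat(changed), int(failed)))
    return records


def password_age_days(rec: UserRecord, as_of: date) -> int:
    """Whole days since the password was last changed, as of the review date."""
    return (as_of - rec.last_password_change).days


def stale_passwords(records, as_of: date, max_age: int = MAX_PASSWORD_AGE_DAYS) -> list[str]:
    """Users whose password age exceeds max_age: candidates for denial of access."""
    return [r.user_id for r in records if password_age_days(r, as_of) > max_age]


def unusual_access(records, threshold: int = FAILED_ATTEMPT_THRESHOLD) -> list[str]:
    """Users whose failed-attempt count reaches the threshold: investigate."""
    return [r.user_id for r in records if r.failed_attempts >= threshold]


def daily_review(text: str, as_of_iso: str) -> dict[str, list[str]]:
    """Run both checks over one day's report; as_of_iso is the review date (YYYY-MM-DD)."""
    records = parse_report(text)
    as_of = date.fromisoformat(as_of_iso)
    return {
        "deny_stale_password": stale_passwords(records, as_of),
        "investigate_access": unusual_access(records),
    }


if __name__ == "__main__":
    # Review the constructed report as of 15 November 1997.
    for action, users in daily_review(SAMPLE_REPORT, "1997-11-15").items():
        print(f"{action}: {', '.join(users) or 'none'}")
```

The two lists are kept separate because they call for different responses: a stale password is a policy violation the security officer can act on directly, while a burst of failed attempts is only an indicator that needs a person to investigate before anyone's access is changed.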
The report recommended that employees be automatically required to change their passwords every 90 days. The Defense Information Services Organization concurred with the recommendation and stated that it would install an automated password change facility that would force users to change their passwords every 90 days.

Appendix C. Major Categories of General Controls

We evaluated six major categories of general controls. Those categories included the security program, access controls, software development and change controls, duty segregation, system software controls, and service continuity.

Security Program. The security program should provide a framework for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the organization’s computer-related controls.

Access Controls. Access controls limit or detect access to computer resources (such as data, equipment, and facilities) thereby protecting the resources against unauthorized modification, loss, and disclosure.

Software Development and Change Controls. Software development and change controls prevent unauthorized programs or modifications to an existing program from being implemented.

Duty Segregation. Duty segregation includes policies, procedures, and an organizational structure established so that one individual cannot control key aspects of computer-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.

System Software Controls. System software controls limit and monitor access to the powerful programs and sensitive files that control the computer equipment and secure computer programs supported by the system.

Service Continuity.
Service continuity controls ensure that, when unexpected events occur, critical operations continue without interruption or are promptly resumed and critical and sensitive data are protected.

Appendix D. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)
   Deputy Chief Financial Officer
   Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
Assistant Secretary of Defense (Public Affairs)
Director, Defense Logistics Studies Information Exchange

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Assistant Secretary of the Navy (Financial Management and Comptroller)
Auditor General, Department of the Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Other Defense Organizations
Director, Defense Contract Audit Agency
Director, Defense Finance and Accounting Service
Director, Defense Finance and Accounting Service Cleveland Center
Director, Defense Information Systems Agency
Director, Defense Logistics Agency
Director, National Security Agency
   Inspector General, National Security Agency
Inspector General, Defense Intelligence Agency
Non-Defense Federal Organizations
Office of Management and Budget
Technical Information Center, National Security and International Affairs Division, General Accounting Office

Chairman and ranking minority member of each of the following congressional committees and subcommittees:
   Senate Committee on Appropriations
   Senate Subcommittee on Defense, Committee on Appropriations
   Senate Committee on Armed Services
   Senate Committee on Governmental Affairs
   House Committee on Appropriations
   House Subcommittee on National Security, Committee on Appropriations
   House Committee on Government Reform and Oversight
   House Subcommittee on Government Management, Information, and Technology, Committee on Government Reform and Oversight
   House Subcommittee on National Security, International Affairs, and Criminal Justice, Committee on Government Reform and Oversight
   House Committee on National Security

Part III - Management Comments

Defense Finance and Accounting Service Comments

DEFENSE FINANCE AND ACCOUNTING SERVICE
1931 JEFFERSON DAVIS HIGHWAY
ARLINGTON, VA 22240-5291

JAN 28 1998
MEMORANDUM FOR DIRECTOR, FINANCE AND ACCOUNTING DIRECTORATE, INSPECTOR GENERAL, DEPARTMENT OF DEFENSE

SUBJECT: DOD IG Draft Report, “Selected General Controls Over the Retiree and Casualty Pay Subsystem at the Defense Finance and Accounting Service - Cleveland Center,” dated November 1, 1997 (Project 6X-0093)

The comments to the findings and recommendations documented in the subject draft report are included as attachments to this memorandum.

My point of contact is Patricia McGriff, DFAS-HP/FM, (703) 607-5062.

[signature]
Brigadier General
Deputy Director for Finance

Attachments:
As stated

Recommendation 1: The Defense Finance and Accounting Service - Cleveland Center update the risk assessment and the security plans to reflect current facilities, operations, and risks. The plan should be updated when significant changes occur in facilities, operations, or risks.

DFAS-CL Response: Concur.

DFAS-CL Comments: The Cleveland Center is currently in the process of certifying and accrediting all DFAS-CL systems including the Retiree and Casualty Pay Subsystem (RCPS). The Certification and Accreditation (C&A) process for the Defense Retiree and Annuitant Pay System (DRAS), of which RCPS is a part, is about one third complete. Once the C&A is complete, the documents will be reviewed annually, or if significant changes occur,
such as the proposed Defense Information Systems Agency (DISA) move of Defense Megacenters (DMCs) scheduled for mid-1998. The operations for RCPS are targeted to move from DMC Chambersburg (DMC-C) to DMC Mechanicsburg (DMC-M) in mid-1998.

Estimated Completion Date: March 31, 1998.

Recommendation 2: The Defense Finance and Accounting Service - Cleveland Center evaluate the training and experience of personnel prior to their selection for security related responsibilities to ensure that candidates have the minimum security training and experience qualifications.

DFAS-CL Response: Concur.

DFAS-CL Comments: The Cleveland Center is currently in the process of restructuring its Information System Security Officer (ISSO) and Terminal Area Security Officer (TASO) positions. There will be one ISSO for each system owned by DFAS-CL. The TASO position will be responsible for system access control. ISSO and TASO positions for the RCPS will be filled based on selection criteria provided by DFAS-CL’s Information Security Office (ISO). The selection criteria utilized is in accordance with the requirements of the National Computer Security Center’s “A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems.” The selection criteria includes: two years of experience in a computer related field, familiarization with the operating system of RCPS, good management skills and the ability to deal with all levels of personnel from top management to individual users. It is expected that the Designated Approving Authority (DAA) will issue the official ISSO/TASO appointment letters sometime in January 1998, after the required background investigations have been performed. The DFAS-CL Information Security Office staff will conduct computer security training after the official appointments are announced by the DAA.

Estimated Completion Date: March 31,
1998.

Recommendation 3: The Defense Finance and Accounting Service - Cleveland Center review sensitivity levels of security personnel positions and require appropriate background investigations before assigning personnel to security positions.

DFAS-CL Response: Concur.

DFAS-CL Comments: Sensitivity levels of security personnel positions will be reviewed by the Security Office, DFAS-CL Plans and Management Directorate in conjunction with the restructuring program for the ISSO and TASO positions. In cases where the appropriate investigation has not been conducted, action will be taken to initiate the investigation.

It is the employing management’s responsibility to complete the DFAS Form 113, “Position Designation Record.” It is the responsibility of the Customer Support Unit (CSU) of the Human Resources Office to ensure that one is on record for each position. The DFAS Form 113 identifies the sensitivity of the position and should be completed when a position is created or when there are changes to the duties that call for a different sensitivity. This will be an ongoing process.

Prior to occupancy of a position, the DFAS Form 114, “Pre-Appointment Investigative Requirement Check,” should be processed (from the CSU to the Security Office and return) to ensure the appropriate investigative requirements are met for the position being occupied. This will be an ongoing process.

Additionally,
request clarification ofthe following information provided in the\n            DOD 1G Drafi Report, page 7 under \xe2\x80\x9cLevels of SecudyClcaranccs.\xe2\x80\x9d\n\n                    The first paragraph, refers to the levels of security clearances noI being reviewed\n            prior to &gnment     and mentions the DOD S200.2-R requirement that each civilian\n            position be classified as critical sensitive, noncritical sensitive or nonsensitive. This\n            indicates the p&lions have not been designaM Yet, the remainder ofthe section\n            seemingly refers to inaccurate designations - an indication the positions have been\n            designated but the DODIG disagrees with the designation\n\n                     Paragraph three of the same section, states the assistant information sear&y\n            officer\xe2\x80\x99s (AISO) position should be desipted critical sensitive because in the absence of\n            the information security officer those duties would be assumed by the AISO. Rquest the\n            basis for this rquirement.\n\n            Estimated Completion      Date March 31. 1998\n\n\n\n\n                                                      28\n\x0c                   Defense Finance and Accounting Service Comments\n\n\n\n\n                                                                            3\n\nRecommendation 4: \xe2\x80\x98l%a Dcfcnse Fhunsc and Accounting Service -\nClcvcland Center correct any deficiencies that can prevent the accreditation of\nthe rctircd pay subsyrtcm. Conduct tc-accreditations when significant ohangcs\noccur.\n\nDFAS-CL     Response: Concur.\n\nDFAS-CL Comments: The m-accreditation program for the RCPS is\ncurrently in process. The initial 3 phws of the accreditation program arc\nschcdulcd to bc completed by January 2 i, 199% The remaining pli,Ci of the\nprogram will bc complctcd by the second quarter nf FY 1998.\n\nEstimated   Completion   Date: Murh     31. 
1998.\n\n\n\nRecommendation 5: The Dcfensc Finance and Accounting Scrvicc -\nCleveland Center monitor a~~cssesto !hc system and investigate unusual use of\nthe system.\n\nDFAS-CL Response: Concur\n\nDFAS-CL Comments: The Access Control Facility 2 (ACFZ). which is the\nsecurity platform for RCPS at DMC-C. generates daily rcpons to help monitor\nuser access to RCPS. DMC-C regularly monitors the daily reports to determine\nif there have been attempts by unauthorized users to access the system DPAS-\nCL would be notified if unauthorized usage of the system does rppcar on the\nACF? reports. DFAS-CL was informed during recent discussions with DMC-C\nthat there has been no unusual or unauthorized USCof the RCPS system\nAdditionally. DAK-C informed DFAS-CL how to access the ACF2 daily\nreports and DFAS-CL is now developing proccdurcr to monitor these reports\non a regular basis. Once the new procedures arc in place both DFAS-CL and\nDMC-C will be monitoring the daily reports. Participation by both\norgnniutions will have the effect of a dual internal control. The proccdurcs ure\ntargeted to be in place by the end of Fcbruavy 1998.\n\nEstimated Completion     Date: February 28. 1998.\n\n\n\nRecommendation 6: The Defense Finance and Accounting Service -\nCleveland Center limit access to ofkcs and computer equipment in the Federal\nBuilding.\n\nDFAS-CL Response: Concur (Action Completed)\n\n\n\n\n                                      29\n\x0cDefense Fiance     and Accounting Service Comments\n\n\n\n\n             DFAS-CL Comments:        DFAS-CL is a tenant in the AL Cdebrczze Federal\n            Building (FOB), located in Cleveland. Ohio. Access to the FOB is controlled\n            and monitored by the Federal Protective Service (FPS). Upon entrance to the\n            FOB non-DOD visitors are required to go through a metal detector device and\n            are aIso subject to a body scan by electronic baton. 
At the end of the day,\n            doors arc locked by the last employee departing the work area and the FPS also\n            conducts floor patrols to ensure doors are locked. Additionally, DFAS-CL\n            employees are constantly briefed on security awareness issues by attending\n            periodic meetings on security and also by ckcuonic messagesposted on the E-\n            maii bulletin board.\n\n            In addition to the general FOB safeguards descriied above, other physical and\n            electronic controls are in place. These include: the issuance and personal\n            display of the DFAS-CL security ID badge by Center employees. required DOD\n            badges for enrrance into the building. cipher locks installed on computer room\n            doors to ensure unauthorized access is denied. and password prctected\n            computer systems to ensure against unauthorized system access\n\n             Estimated Completion     Date: Action completed.\n\n\n\n            Recommendation I: The Defense Finance and Accounting %-vice -\n            Cleveland Center identity ofice space and equipment nrrdcd to soppon critical\n            operations at an alternate site in the event of a disaster\n\n            DFAS-CL     Response: Concur (Action Completed)\n\n\n            DFAS-CL Comments: DFAS-CL already has a Continuity of Operations Plan\n            (COOP) and a Living Disaster Recovery Plan System (LDRPS). Within these\n            plans it specitically identifies and lists essential equipment needed for DFAS-CL\n            to continue critical operations DFAS-CL does no1 speciftca)ly idcntif$ or\n            secure office space until the need is id&tied based upon the emergency or\n            disaster. However, space dternatives are available depending upon the\n            emergency space requirements.\n\n\n            If the need is partial or a small block of space is nccdcd. 
DFAS-CL would mryto\n            accommodate itself internally by utilizing other areas within tk DFAS-CL\n            allotted office space This would include the North Point operation which is a\n            Etcility separate from tk FOB. If DFAS-CL could not meet its needs in this\n            manner, the General Services Administration would be called upon to provide\n            additional space within the FOB. In the event DFAS-CL operations were\n            completely destroyed, other alternatives would be pursued. Other DFAS\n            Centers and OPLOCs would be called upon to see whatassistance could be\n            offered As a second alternative DF.AS-CL would look to other government\n\n\n\n\n                                                            30\n\x0c                          Defense Finance and Accounting Service Comments\n\n\n\n\nagencia for help and as a third alternative DFAS-CL would work with the\nGSA Chicago Region to find suitable local office space to meet our needs.\n\nEstimated Completion Dntc: Action completed.\n\nRecommendation 8: The Defense Fiice            and Accounting Service -\nCleveland Center conduct periodic reviews and correct any identified\ndeficiencies in the security controls over the Retiree and Casualty Pay\nSubsystem.\n\nDFAS-CL    Rupoose:    Concur.\n\nDFAS-CL Commenta: DFAS-CL is already pursuing corrective action in\nregard to this recommendation. Please see the DFAS-CL comments for\nrecommendation #5.\n\nEstimated Completion Date: February 29. 1998\n\x0cAudit Team Members\n\nT\xe2\x80\x99heFinance and Accounting Directorate, Office of the Assistant Inspector\nGeneral for Auditing, DOD, produced this report.\n\nF. Jay Lane\nKimberley A. Caprio\nDennis L. Conway\nCynthia G. Williams\nMarcia L. Ukleya\nDeborah curry\nTraci Y. Sadler\n\x0c\x0c"